PHI Potentially Exposed Due to Phishing Attacks on UNC Health and Nebraska DHHS

The Nebraska Department of Health and Human Services has announced a security incident involving the protected health information (PHI) of clients of Aging Partners, a department of the City of Lincoln.

The Lincoln Information Services Department discovered the breach on May 25, 2021. Employees had responded to phishing emails and exposed the credentials to their email accounts, which contained more than 46,000 email messages. A computer forensics agency helped determine that an unauthorized individual accessed the email account between May 18 and May 21.

An audit of the messages in the account verified that some contained patient data, including names, dates of birth, addresses, phone numbers, Social Security numbers, type/amount of service, dates of service, and various health data such as diagnoses, care checks, and medication details. Emails also contained bank account numbers or other financial details of a limited number of people. 6,600 of the email messages contained the PHI of Aging Partners’ customers, but only 1,513 persons were affected. For many affected people, only names were found in the email accounts.

All individuals impacted by the attack are now being informed, and credit monitoring and identity theft protection services are being provided to persons whose financial data was included in the compromised email accounts.

UNC Health Reports Phishing Attack

UNC Health reported that an unauthorized person accessed an email account containing the PHI of patients of the University of North Carolina Hospitals (UNC Hospitals) and University of North Carolina at Chapel Hill School of Medicine (SOM).

On May 20, 2021, UNC Health learned of the compromise of the email account of a SOM faculty member. That individual is a provider of healthcare services at UNC Hospitals. The email account was secured immediately, and an investigation was launched to determine the extent of the breach. With the help of a third-party cybersecurity company, UNC Health confirmed that the email account breach was limited to April 20, 2021. The breach did not impact any other email accounts or systems.

An analysis of the account revealed the potential breach of the following types of information: patients’ names, birth dates, diagnosis and treatment details, and/or data regarding a research study patients may have been engaged in or were entitled to at UNC Hospitals/SOM. The email account included the health insurance details of fewer than 30 patients and the Social Security numbers of fewer than 10 patients. There were no reported instances of patient data misuse.

Additional email security procedures are being implemented, and workers are being given additional training to help them recognize phishing emails.

About Christine Garcia
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years of experience writing about healthcare sector issues, with a focus on compliance and cybersecurity issues. Christine has developed in-depth knowledge of HIPAA regulations.